packages/nodejs-hawk
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2022-29167

Browse Source
This commit is contained in:
houyingchao 2022-05-17 10:47:58 +08:00
parent dd43af661f
commit 192c9d5c3b
2 changed files with 127 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

121
CVE-2022-29167.patch Normal file
View File

@ -0,0 +1,121 @@
From ade134119bf1fdc4909d00f5a952c966f0075ad3 Mon Sep 17 00:00:00 2001
From: Yaraslau Kurmyza <yarik@mozilla.com>
Date: Mon, 2 May 2022 13:47:12 +0200
Subject: [PATCH] Parse URLs using stdlib
---
lib/utils.js | 22 ++++++++++++----------
test/server.js | 14 ++++++++++++++
test/utils.js | 6 +++---
3 files changed, 29 insertions(+), 13 deletions(-)
diff --git a/lib/utils.js b/lib/utils.js
index 60d8219..a2a3094 100644
--- a/lib/utils.js
+++ b/lib/utils.js
@@ -4,6 +4,7 @@
const Sntp = require('sntp');
const Boom = require('boom');
+const Url = require('url');
// Declare internals
@@ -22,12 +23,6 @@ exports.limits = {
};
-// Extract host and port from request
-
-// $1 $2
-internals.hostHeaderRegex = /^(?:(?:\r\n)?\s)*((?:[^:]+)|(?:\[[^\]]+\]))(?::(\d+))?(?:(?:\r\n)?\s)*$/; // (IPv4, hostname)|(IPv6)
-
-
exports.parseHost = function (req, hostHeaderName) {
hostHeaderName = (hostHeaderName ? hostHeaderName.toLowerCase() : 'host');
@@ -40,14 +35,21 @@ exports.parseHost = function (req, hostHeaderName) {
return null;
}
- const hostParts = hostHeader.match(internals.hostHeaderRegex);
- if (!hostParts) {
+ if (hostHeader.indexOf('/') !== -1) {
return null;
}
+ let uri;
+ try {
+ uri = new Url.URL('http://' + hostHeader);
+ }
+ catch (err) {
+ return null;
+ }
+
return {
- name: hostParts[1],
- port: (hostParts[2] ? hostParts[2] : (req.connection && req.connection.encrypted ? 443 : 80))
+ name: uri.hostname,
+ port: (uri.port ? uri.port : (req.connection && req.connection.encrypted ? 443 : 80))
};
};
diff --git a/test/server.js b/test/server.js
index 39e66e6..3ef23d6 100755
--- a/test/server.js
+++ b/test/server.js
@@ -551,6 +551,20 @@ describe('Server', () => {
});
});
+ it('errors on an bad host header (includes path and query)', async () => {
+
+ const req = {
+ method: 'GET',
+ url: '/resource/4?filter=a',
+ headers: {
+ host: 'example.com:8080/path?x=z',
+ authorization: 'Hawk'
+ }
+ };
+
+ await expect(Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() })).to.reject('Invalid Host header');
+ });
+
it('errors on an bad host header (pad port)', (done) => {
const req = {
diff --git a/test/utils.js b/test/utils.js
index 6182609..98f2422 100755
--- a/test/utils.js
+++ b/test/utils.js
@@ -64,7 +64,7 @@ describe('Utils', () => {
method: 'POST',
url: '/resource/4?filter=a',
headers: {
- host: '[123:123:123]',
+ host: '[123:123::123]',
'content-type': 'text/plain;x=y'
},
connection: {
@@ -82,7 +82,7 @@ describe('Utils', () => {
method: 'POST',
url: '/resource/4?filter=a',
headers: {
- host: '[123:123:123]:8000',
+ host: '[123:123::123]:8000',
'content-type': 'text/plain;x=y'
},
connection: {
@@ -92,7 +92,7 @@ describe('Utils', () => {
const host = Hawk.utils.parseHost(req, 'Host');
expect(host.port).to.equal('8000');
- expect(host.name).to.equal('[123:123:123]');
+ expect(host.name).to.equal('[123:123::123]');
done();
});
--
2.23.0

8
nodejs-hawk.spec
View File

@ -1,11 +1,12 @@
%global enable_tests 0 %global enable_tests 0
Name: nodejs-hawk Name: nodejs-hawk
Version: 4.1.2 Version: 4.1.2
Release: 2 Release: 3
Summary: HTTP Hawk authentication scheme Summary: HTTP Hawk authentication scheme
License: BSD-3-Clause License: BSD-3-Clause
URL: https://github.com/hueniverse/hawk URL: https://github.com/hueniverse/hawk
Source0: https://registry.npmjs.org/hawk/-/hawk-%{version}.tgz Source0: https://registry.npmjs.org/hawk/-/hawk-%{version}.tgz
Patch0: CVE-2022-29167.patch
BuildArch: noarch BuildArch: noarch
ExclusiveArch: %{nodejs_arches} noarch ExclusiveArch: %{nodejs_arches} noarch
BuildRequires: nodejs-packaging npm(boom) npm(cryptiles) npm(hoek) npm(sntp) BuildRequires: nodejs-packaging npm(boom) npm(cryptiles) npm(hoek) npm(sntp)
@ -17,7 +18,7 @@ Hawk is an HTTP authentication scheme using a message authentication code (MAC)
algorithm to provide partial HTTP request cryptographic verification. algorithm to provide partial HTTP request cryptographic verification.
%prep %prep
%autosetup -n package %autosetup -n package -p1
%nodejs_fixdep cryptiles "^2.0.5" %nodejs_fixdep cryptiles "^2.0.5"
%nodejs_fixdep boom "^2.10.1" %nodejs_fixdep boom "^2.10.1"
%nodejs_fixdep hoek "^0.9.1" %nodejs_fixdep hoek "^0.9.1"
@ -45,6 +46,9 @@ cp -pr package.json lib %{buildroot}%{nodejs_sitelib}/hawk
%{nodejs_sitelib}/hawk %{nodejs_sitelib}/hawk
%changelog %changelog
* Tue May 17 2022 houyingchao <houyingchao@h-partners.com> - 4.1.2-3
- Fix CVE-2022-29167
* Mon May 9 2022 liyanan <liyanan32@h-partners.com> - 4.1.2-2 * Mon May 9 2022 liyanan <liyanan32@h-partners.com> - 4.1.2-2
- License compliance rectification - License compliance rectification